Posted to commits@cassandra.apache.org by "Yifan Cai (Jira)" <ji...@apache.org> on 2022/11/08 23:49:00 UTC

[jira] [Commented] (CASSANDRA-17848) LIST PERMISSION can display incorrect resource name

    [ https://issues.apache.org/jira/browse/CASSANDRA-17848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17630665#comment-17630665 ] 

Yifan Cai commented on CASSANDRA-17848:
---------------------------------------

The root cause of the confusing value for the {{resource}} column is located at {{org.apache.cassandra.auth.FunctionResource#fromName}}. The implementation assumes the special characters (i.e. /, [ and ]) are not used in the function name, and uses those characters to parse the encoded function name string read from the role_permissions table.
However, quoted text is allowed as function names. It is permitted to have those characters in the function names, which breaks the parsing logic. 

In addition to the example in the description, it is allowed to create a function with `/` in the name, as long as it is quoted. 
{code:java}
CREATE FUNCTION cql_test_keyspace."my/amazing/udf"(input int) RETURNS NULL ON NULL INPUT RETURNS int LANGUAGE java AS 'return 42;';
{code}
Once the UDF is created, listing permission on the role breaks since `/` is used to determine if a resource is valid or not. 

> LIST PERMISSION can display incorrect resource name
> ---------------------------------------------------
>
>                 Key: CASSANDRA-17848
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17848
>             Project: Cassandra
>          Issue Type: Bug
>          Components: CQL/Interpreter
>            Reporter: Yifan Cai
>            Assignee: Yifan Cai
>            Priority: Normal
>
> When producing the resource name, it seems to assume that the content in the `[]` is the function's input type, where it could also be part of the function name, as long as it is quoted. Here is an example to reproduce. In cqlsh,
> {code:java}
> > CREATE FUNCTION test."admin_created_udf[org.apache.cassandra.db.marshal.LongType]"(input int) RETURNS NULL ON NULL INPUT RETURNS int LANGUAGE java AS 'return 42;';
> > LIST EXECUTE OF user;
>  role  | username | resource                                | permission
> -------+----------+-----------------------------------------+------------
>  user  |    user  | <function test.admin_created_udf(long)> |    EXECUTE
> (1 rows)
> {code}
> The input should be "int", but in the output, it says "long". 
> If the content enclosed by "[]" is not a valid class, the LIST PERMISSION request always fails for the user with "ConfigurationException: Unable to find abstract-type class".
> The bug was discovered by Piotr Sarna.



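The parsing ambiguity described in the comment and in the issue description, as an added example (not Cassandra's code and not part of the original message): a simplified Python model of a delimiter-splitting parser next to one that anchors on the fixed ends of the string. The layout `functions/<keyspace>/<name>[<types>]`, the `^` type separator and the names `parse_naive`, `parse_anchored` and `round_trips` are assumptions made for illustration; `parse_anchored` additionally assumes keyspace names contain no `/` and type names contain no `[`.

```python
# Added illustration: a simplified model, not Cassandra's FunctionResource.
# Assumed layout: functions/<keyspace>/<name>[<type>^<type>...]
ROOT = "functions"
INT = "org.apache.cassandra.db.marshal.Int32Type"

def encode(keyspace, name, arg_types):
    return f"{ROOT}/{keyspace}/{name}[{'^'.join(arg_types)}]"

def parse_naive(encoded):
    """Split on '/', '[' and ']' as if they could never occur inside a name."""
    parts = encoded.split("/")
    if parts[0] != ROOT or len(parts) != 3:
        raise ValueError(f"not a valid function resource: {encoded!r}")
    name, _, rest = parts[2].partition("[")
    args = rest.split("]", 1)[0]
    return parts[1], name, args.split("^") if args else []

def parse_anchored(encoded):
    """Anchor on the fixed ends: the keyspace stops at the first '/' after the
    root, the argument list starts at the LAST '[' and ends at the final ']'.
    Assumes keyspace names have no '/' and type names have no '['."""
    prefix = ROOT + "/"
    if not encoded.startswith(prefix) or not encoded.endswith("]"):
        raise ValueError(f"not a valid function resource: {encoded!r}")
    keyspace, slash, rest = encoded[len(prefix):].partition("/")
    name, bracket, args = rest[:-1].rpartition("[")
    if not (slash and bracket and keyspace and name):
        raise ValueError(f"not a valid function resource: {encoded!r}")
    return keyspace, name, args.split("^") if args else []

def round_trips(parser, keyspace, name, arg_types):
    """True only if parsing the encoded form returns exactly what was encoded."""
    try:
        expected = (keyspace, name, list(arg_types))
        return parser(encode(keyspace, name, arg_types)) == expected
    except ValueError:
        return False

# Constructed samples: the two quoted function names from this page, one int argument each.
SAMPLES = [
    ("test", "admin_created_udf[org.apache.cassandra.db.marshal.LongType]", [INT]),
    ("cql_test_keyspace", "my/amazing/udf", [INT]),
]

if __name__ == "__main__":
    for ks, fn, types in SAMPLES:
        print(fn, round_trips(parse_naive, ks, fn, types),
              round_trips(parse_anchored, ks, fn, types))
```

A round-trip check of this kind over names containing `/`, `[` and `]` is a useful regression test for any encoder/parser pair that stores identifiers in a delimited string.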